Re: DKIM: Does DKIM provide adequate protection from a malicious domain from spoofing a sender's address?

[Michael Thomas <mike@xxxxxxxx>]

Earl Hood wrote:

> [Maybe this is not within the scope of DKIM, but I will ask it
> anyway since it may affect how well DKIM is accepted.]
>
> What prevents a malicious domain from spoofing a sender's address?
> I.e.  Is there anything in DKIM that (effectively) prevents a malicious
> domain from using my personal address, or any one elses address?
>  
This was -- and continues to be -- the subject of much debate. The 
compromise
was to have the mechanics for binding the dkim address (eg i=) to outside
addresses (eg From) addressed in the signing policy draft. Due to time 
constraints,
the text that was in DKIM base did not make it into ssp, but it should 
go back in
the next rev.

I think that the longer term answer with resigners (eg, mailing lists) 
is that
they want to preserve the original DKIM signature bound to the From
address as well as resign it themselves. At some level, resigners (ie,
signers who want to preserve the original From address) will need to be
dealt with in the reputation domain because there is no obvious other
difference between:

From: mike@xxxxxxxx
Sender: list@xxxxxxxxxxxxxxx

and

From: mike@xxxxxxxx
Sender: vile@xxxxxxxxxxx

if the original From signature is missing or broken.

      Mike